The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws
The error messages shown here are for Oracle. The equivalent messages for other databases are listed in the “SQL Syntax and Error Reference” section, later in this chapter.

Chapter 9, Injecting Code (pages 252-253)

In many real-world cases, the database error messages shown will be trapped by the application and will not be returned to the user’s browser. It may appear, therefore, that in attempting to discover the structure of the first query, you are restricted to pure guesswork. However, this is not the case. There are three important points that mean that your task is normally easy:

■ In order for the injected query to be capable of being combined with the first, it is not strictly necessary that it contain the same data types. Rather they must be compatible — that is, each data type in the second query must either be identical to the corresponding type in the first or be implicitly convertible to it. You have already seen that databases will implicitly convert a numeric value to a string value. In fact, the value NULL can be converted to any data type. Hence, if you do not know the data type of a particular field, you can simply SELECT NULL for that field.

■ In cases where database error messages are trapped by the application, you can easily determine whether your injected query was executed. If it has done so, then additional results will be added to those returned by the application from its original query. This enables you to work systematically until you discover the structure of the query you need to inject.

■ In most cases, you can achieve your objectives simply by identifying a single field within the original query that has a string data type. This is sufficient for you to inject arbitrary queries that return string-based data and retrieve the results, enabling you to systematically extract any data from the database that you desire.
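The following Python script is an added illustration, not code from the book. It builds a throwaway in-memory SQLite database (the products table, its rows, and the function names are all constructed for the example) and shows the two behaviours the points above rely on: an appended SELECT with the wrong number of columns is rejected by the database, while SELECT NULL for every column is accepted whatever the column types and shows up as an extra all-NULL row. The same input run through a parameterized query is just a product name that does not exist, which is the fix a defender should look for in code review.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database (constructed sample data, not the book's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 9.99), (2, "gadget", 19.99)],
    )
    return conn


def search_vulnerable(conn, term):
    """The flawed pattern: the search term is spliced into the SQL text,
    so a quote in the term ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def try_vulnerable(conn, term):
    """Run the flawed query and report either its rows or the database's
    error text. These are the two signals the chapter discusses: an error
    about the combined query (which an application may trap), or extra
    rows appearing alongside the original results."""
    try:
        return search_vulnerable(conn, term), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)


def search_parameterized(conn, term):
    """The fix: a bound parameter is passed as data, so the term can never
    change the structure of the statement, whatever characters it holds."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Two columns in the appended SELECT: the database refuses to combine
    # the two queries. This is the error a trapping application would hide.
    print(try_vulnerable(db, "widget' UNION SELECT NULL, NULL--"))
    # Three NULLs match the three columns of the original query and are
    # compatible with any column type, so an extra all-NULL row appears.
    print(try_vulnerable(db, "widget' UNION SELECT NULL, NULL, NULL--"))
    # The same input through a parameterized query is merely a product
    # name that does not exist: no rows, no error, no change to the query.
    print(search_parameterized(db, "widget' UNION SELECT NULL, NULL, NULL--"))
```

One caveat when reading the output: SQLite is loosely typed, so only the column count is enforced here; the type-compatibility rule described in the first point matters on databases such as Oracle that check the types of each column in the combined result. The parameterized form closes the issue on every database, because the driver never interprets the bound value as SQL.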



HACK STEPS
